Setup steps for SSH connections to Amazon CodeCommit repositories on Windows - Amazon CodeCommit

Before you can connect to Amazon CodeCommit for the first time, you must complete some initial configuration steps. After you set up your computer and Amazon profile, you can connect to a CodeCommit repository and clone that repository to your computer (also known as creating a local repo). If you're new to Git, you might also want to review the information in Where can I learn more about Git?.

Step 1: Initial configuration for CodeCommit

Follow these steps to set up an Amazon Web Services account, create an IAM user, and configure access to CodeCommit.

To create and configure an IAM user for accessing CodeCommit
  1. Create an Amazon Web Services account by going to and choosing Sign Up.

  2. Create an IAM user, or use an existing one, in your Amazon Web Services account. Make sure you have an access key ID and a secret access key associated with that IAM user. For more information, see Creating an IAM User in Your Amazon Web Services account.


    CodeCommit requires Amazon Key Management Service. If you are using an existing IAM user, make sure there are no policies attached to the user that expressly deny the Amazon KMS actions required by CodeCommit. For more information, see Amazon KMS and encryption.

  3. Sign in to the Amazon Web Services Management Console and open the IAM console at

  4. In the IAM console, in the navigation pane, choose Users, and then choose the IAM user you want to configure for CodeCommit access.

  5. On the Permissions tab, choose Add Permissions.

  6. In Grant permissions, choose Attach existing policies directly.

  7. From the list of policies, select AWSCodeCommitPowerUser or another managed policy for CodeCommit access. For more information, see Amazon managed policies for CodeCommit.

    After you have selected the policy you want to attach, choose Next: Review to review the list of policies to attach to the IAM user. If the list is correct, choose Add permissions.

    For more information about CodeCommit managed policies and sharing access to repositories with other groups and users, see Share a repository and Authentication and access control for Amazon CodeCommit.


If you want to use Amazon CLI commands with CodeCommit, install the Amazon CLI. For more information, see Command line reference.

Step 2: Install Git

To work with files, commits, and other information in CodeCommit repositories, you must install Git on your local machine. CodeCommit supports Git versions 1.7.9 and later. Git version 2.28 supports configuring the branch name for initial commits. We recommend using a recent version of Git.

To install Git, we recommend websites such as Git Downloads.


Git is an evolving, regularly updated platform. Occasionally, a feature change might affect the way it works with CodeCommit. If you encounter issues with a specific version of Git and CodeCommit, review the information in Troubleshooting.

If the version of Git you installed does not include a Bash emulator, such as Git Bash, install one. You use this emulator instead of the Windows command line when you configure SSH connections.

Step 3: Set up the public and private keys for Git and CodeCommit

To set up the public and private keys for Git and CodeCommit on Windows
  1. Open the Bash emulator.


    You might need to run the emulator with administrative permissions.

    From the emulator, run the ssh-keygen command, and follow the directions to save the file to the .ssh directory for your profile.

    For example:

    $ ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/drive/Users/user-name/.ssh/id_rsa): Type a file name here, for example /c/Users/user-name/.ssh/codecommit_rsa
    Enter passphrase (empty for no passphrase): <Type a passphrase, and then press Enter>
    Enter same passphrase again: <Type the passphrase again, and then press Enter>
    Your identification has been saved in drive/Users/user-name/.ssh/codecommit_rsa.
    Your public key has been saved in drive/Users/user-name/.ssh/
    The key fingerprint is:
    45:63:d5:99:0e:99:73:50:5e:d4:b3:2d:86:4a:2c:14 user-name@client-name
    The key's randomart image is:
    +--[ RSA 2048]----+
    | E.+.o*.++|
    | .o .=.=o.|
    | . .. *. +|
    | ..o . +..|
    | So . . . |
    | . |
    | |
    | |
    | |
    +-----------------+

    This generates:

    • The codecommit_rsa file, which is the private key file.

    • The file, which is the public key file.


    By default, ssh-keygen generates a 2048-bit key. You can use the -t and -b parameters to specify the type and length of the key. If you want a 4096-bit key in the rsa format, run the command with the following parameters:

    ssh-keygen -t rsa -b 4096

    For more information about the formats and lengths required for SSH keys, see Using IAM with CodeCommit.

  2. Run the following commands to display the value of the public key file (

    cd .ssh
    notepad

    Copy the contents of the file, and then close Notepad without saving. The contents of the file look similar to the following:

  3. Sign in to the Amazon Web Services Management Console and open the IAM console at


    You can directly view and manage your CodeCommit credentials in My Security Credentials. For more information, see View and manage your credentials.

  4. In the IAM console, in the navigation pane, choose Users, and from the list of users, choose your IAM user.

  5. On the user details page, choose the Security Credentials tab, and then choose Upload SSH public key.

  6. Paste the contents of your SSH public key into the field, and then choose Upload SSH public key.

  7. Copy or save the information in SSH Key ID (for example, APKAEIBAERJR2EXAMPLE).


    If you have more than one SSH key ID uploaded, the keys are listed alphabetically by key ID, not by upload date. Make sure that you have copied the key ID that is associated with the correct upload date.

  8. In the Bash emulator, run the following command to create a config file in the ~/.ssh directory, or edit it if one already exists:

    notepad ~/.ssh/config
  9. Add the following lines to the file, where the value for User is the SSH key ID you copied earlier, and the value for IdentityFile is the path to and name of the private key file:

    Host git-codecommit.*
      User APKAEIBAERJR2EXAMPLE
      IdentityFile ~/.ssh/codecommit_rsa

    If you gave your private key file a name other than codecommit_rsa, be sure to use it here.

    You can set up SSH access to repositories in multiple Amazon Web Services accounts. For more information, see Troubleshooting SSH connections to Amazon CodeCommit.

    Save the file as config (not config.txt), and then close Notepad.


    The name of the file must be config with no file extension. Otherwise, the SSH connections fail.

  10. Run the following command to test your SSH configuration:


    You are asked to confirm the connection because is not yet included in your known hosts file. The CodeCommit server fingerprint is displayed as part of the verification (11:7e:2d:74:9e:3b:94:a2:69:14:75:6f:5e:22:3b:b3 for MD5 or IYUXxH2OpTDsyYMLIp+JY8CTLS4UX+ZC5JVZXPRaxc8 for SHA256).


    CodeCommit server fingerprints are unique for every Amazon Web Services Region. To view the server fingerprints for an Amazon Web Services Region, see Server fingerprints for CodeCommit.

    After you have confirmed the connection, you should see confirmation that you have added the server to your known hosts file and a successful connection message. If you do not see a success message, double-check that you saved the config file in the ~/.ssh directory of the IAM user you configured for access to CodeCommit, that the config file has no file extension (for example, it must not be named config.txt), and that you specified the correct private key file (codecommit_rsa, not

    To troubleshoot problems, run the ssh command with the -v parameter. For example:

    ssh -v

    For information to help you troubleshoot connection problems, see Troubleshooting SSH connections to Amazon CodeCommit.
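
The checks from step 10 (config file in the ~/.ssh directory, no file extension, private key rather than public key in IdentityFile), written as a script you can run in the Bash emulator. This is an added example, not part of the AWS documentation; the function names and finding strings are hypothetical, and the APKA prefix test is an assumption based on the example SSH key ID shown on this page.

```shell
#!/bin/sh
# Added example (not AWS code): lint the CodeCommit SSH setup in a directory,
# normally ~/.ssh. Prints one finding per line, or "ok" when nothing is wrong.

# cc_field FILE KEYWORD: value of KEYWORD in the first "Host git-codecommit.*" block.
cc_field() {
    awk -v want="$2" '
        tolower($1) == "host" { inblock = ($2 ~ /^git-codecommit\./); next }
        inblock && tolower($1) == want { print $2; exit }
    ' "$1"
}

check_codecommit_ssh() {
    dir=$1
    cfg=$dir/config
    if [ ! -f "$cfg" ]; then
        # Notepad tends to save the file as config.txt, which ssh never reads.
        if [ -f "$cfg.txt" ]; then echo "config-has-extension"
        else echo "config-missing"; fi
        return 1
    fi
    user=$(cc_field "$cfg" user)
    key=$(cc_field "$cfg" identityfile)
    if [ -z "$user" ] && [ -z "$key" ]; then
        echo "no-codecommit-host-block"
        return 1
    fi
    out=""
    # Assumption: SSH key IDs start with APKA, as in the page's example,
    # so anything else (such as an IAM user name) is flagged.
    case $user in
        APKA*) ;;
        *) out="$out user-is-not-ssh-key-id" ;;
    esac
    # Resolve a literal ~/.ssh/ prefix against the directory being checked.
    case $key in
        '~/.ssh/'*) key=$dir/${key#'~/.ssh/'} ;;
    esac
    case $key in
        "") out="$out identityfile-not-set" ;;
        *.pub) out="$out identityfile-is-public-key" ;;
        *) [ -f "$key" ] || out="$out identityfile-not-found" ;;
    esac
    if [ -n "$out" ]; then
        printf '%s\n' $out   # unquoted on purpose: one finding per line
        return 1
    fi
    echo "ok"
}
```

Run it as `check_codecommit_ssh ~/.ssh` after saving the config file and before testing the connection.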

Step 4: Connect to the CodeCommit console and clone the repository

If an administrator has already sent you the name and connection details for the CodeCommit repository, you can skip this step and clone the repository directly.

To connect to a CodeCommit repository
  1. Open the CodeCommit console at

  2. In the region selector, choose the Amazon Web Services Region where the repository was created. Repositories are specific to an Amazon Web Services Region. For more information, see Regions and Git connection endpoints.

  3. Find the repository you want to connect to from the list and choose it. Choose Clone URL, and then choose the protocol you want to use when cloning or connecting to the repository. This copies the clone URL.

    • Copy the HTTPS URL if you are using either Git credentials with your IAM user or the credential helper included with the Amazon CLI.

    • Copy the HTTPS (GRC) URL if you are using the git-remote-codecommit command on your local computer.

    • Copy the SSH URL if you are using an SSH public/private key pair with your IAM user.


    If you see a Welcome page instead of a list of repositories, there are no repositories associated with your Amazon account in the Amazon Web Services Region where you are signed in. To create a repository, see Create an Amazon CodeCommit repository or follow the steps in the Getting started with Git and CodeCommit tutorial.

  4. In the Bash emulator, run the git clone command with the SSH URL you copied to clone the repository. This command creates the local repo in a subdirectory of the directory where you run the command. For example, to clone a repository named MyDemoRepo to a local repo named my-demo-repo in the China (Beijing) Region:

    git clone my-demo-repo

    Alternatively, open a command prompt, and using the URL and the SSH key ID for the public key you uploaded to IAM, run the git clone command. The local repo is created in a subdirectory of the directory where you run the command. For example, to clone a repository named MyDemoRepo to a local repo named my-demo-repo:

    git clone ssh:// my-demo-repo

    For more information, see Connect to the CodeCommit repository by cloning the repository and Create a commit.

Next steps

You have completed the prerequisites. Follow the steps in Getting started with CodeCommit to start using CodeCommit.